(57) ABSTRACT

Methods and systems are directed to dynamically mirroring a connection
between network devices. Mirroring is managed by forwarding a packet
between a first network device and a second network device. In one
method, the first network device receives the packet from a client and
communicates the packet to the second network device. A forwarding
device, pre-determined from the first and second network devices,
forwards the packet to a server. The first network device receives a
response from the server, and communicates it to the second network
device. The forwarding device forwards the response packet to the
client. In one configuration, the first network device and forwarding
device is an active device, and the second network device is a standby
device. In another configuration, the first network device is a standby
device, and the second network device and forwarding device is an
active device.

45 Claims, 8 Drawing Sheets 
Standby network device 108 is configured to perform substantially the
same operations on the mirrored packet as active network device 106
might perform. However, standby network device 108 is configured
typically not to send out its output, unless it becomes the active
network device. During a complex operation, such as SSL, standby
network device 108 is configured to receive and employ certain
information from active network device 106. Such information may
include a random seed, a server-random, encryption keys, certificates,
and the like. Standby network device 108 may also receive and employ
certain information from active network device 106 during other
situations. This additional information may include an initial sequence
number, and the like.

Communicating virtually the same packets to standby network device 108
enables standby network device 108 to construct virtually an equivalent
internal state, substantially similar to one maintained by active
network device 106. This enables a more rapid failover response should
active network device 106 fail than might occur should standby network
device 108 have to regenerate the actions from static information about
the connections. This also enables complex, high-level protocols, such
as compression, SSL, and the like, to be mirrored with minimal
additional state information transferred from active network device
106. In some instances, such as with a compression action, virtually no
transfer of state information may be needed.

FIG. 2 illustrates one embodiment of an environment in which a system
operates for managing reliability of a mirrored connection using a
standby response configuration. Not all the components may be required
to practice the invention, and variations in the arrangement and type
of the components may be made without departing from the spirit or
scope of the invention.

As shown in the figure, system 200 includes client 102, wide area
network (WAN)/local area network (LAN) 104, active network device 206,
standby network device 208, and server computer 110. Components
numbered similar to those in FIG. 1 operate substantially similar.
Active network device 206 is configured to perform similar to active
network device 106 in FIG. 1. Similarly, standby network device 208 is
configured to perform similar to standby network device 108 in FIG. 1.
A difference between the environment shown in FIG. 1 and that shown in
FIG. 2 is that the WAN/LAN 104 is in communication with client 102,
active network device 206, and standby network device 208. Active
network device 206 is also in communication with standby network device
208 and with server computer 110. Standby network device 208 is further
in communication with server 110.

The flow of packets shown in FIG. 2 is described in more detail below
in conjunction with FIG. 6. Briefly, however, as shown in FIG. 2,
standby network device 208 is configured to send substantially all
mirrored packets, including acknowledgement packets as appropriate,
forwarded connection data, and the like, that might typically be sent
by active network device 106 as shown in FIG. 1. Moreover, should a
packet be dropped, corrupted, and the like, while being transferred
between active network device 206 and standby network device 208, the
appropriate network peer is configured to retransmit the packet, data,
and the like, virtually the same as if it had been dropped at any other
point in the network.

FIG. 3 illustrates one embodiment of an environment in which a system
operates for managing reliability of a mirrored connection using a
standby first configuration. Not all the components may be required to
practice the invention, and variations in the arrangement and type of
the components may be made without departing from the spirit or scope
of the invention.

As shown in the figure, system 300 includes client 102, wide area
network (WAN)/local area network (LAN) 104, active network device 306,
standby network device 308, and server computer 110. Components
numbered similar to those in FIG. 1 can operate in substantially
similar ways. Active network device 306 is configured to perform
similar to active network device 106 in FIG. 1. Similarly, standby
network device 308 is configured to perform similar to standby network
device 108 in FIG. 1. A difference between the environment shown in
FIG. 1 and that shown in FIG. 3 is that the WAN/LAN 104 is in
communication with client 102, active network device 306, and standby
network device 308. Active network device 306 is also in communication
with standby network device 308 and with server computer 110. Standby
network device 308 is further in communication with server 110.

The flow of packets shown in FIG. 3 is described in more detail below
in conjunction with FIG. 7. Briefly, however, as shown in FIG. 3,
reliability of mirrored connections is ensured by arranging packets to
be sent to standby network device 308 first. Standby network device 308
is configured to forward the packets to active network device 306.
Active network device 306 forwards the packets as with non-mirrored
connections.

FIG. 4 illustrates a functional block diagram of one embodiment of a
network device in which the invention may be practiced. It will be
appreciated that not all components of network device 400 are
illustrated, and that network device 400 may include more or fewer
components than those shown in FIG. 4. Network device 400 may operate,
for example, as a router, bridge, firewall, gateway, traffic management
device, distributor, load balancer, server array controller, or proxy
server. The communications may take place over a network, such as
network 104 in FIGS. 1-3, the Internet, a WAN, LAN, or some other
communications network known to those skilled in the art.

As illustrated in FIG. 4, network device 400 includes a central
processing unit (CPU) 402, mass memory, and a network interface unit
412 connected via a bus 404. Network interface unit 412 includes the
necessary circuitry for connecting network device 400 to network 104,
and the like, and is constructed for use with various communication
protocols including the TCP/IP and UDP/IP protocol. Network interface
unit 412 may include or interface with circuitry and components for
transmitting messages and data over a wired and/or wireless
communications medium. Network interface unit 412 is sometimes referred
to as a transceiver.

The mass memory generally includes random access memory ("RAM") 406,
read-only memory ("ROM") 414, and one or more permanent mass storage
devices, such as hard disk drive 408. The mass memory stores operating
system 416 for controlling the operation of network device 400. The
operating system 416 may comprise an operating system such as UNIX,
LINUX™, Windows™, and the like.

In one embodiment, the mass memory stores program code and data for
implementing a connection mirroring 418, and related program code and
data, in accordance with the present invention. The mass memory may
also store additional programs 424 and data for performing the
functions of network device 400. Programs 424 may also include
applications that are employed by connection mirroring 418 to handle
complex, high-level protocols, including, but not limited to,
compression and Secure Socket Layer (SSL) operations on packets.
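The standby state construction described above can be modelled in a few lines. The following is an added illustration, not code from the patent: `MirrorDevice`, `simulate` and `contiguous` are hypothetical names, the model covers one direction of one connection, and the only tracked state is the outgoing sequence number. It shows why the active device must hand the standby its initial sequence number, while everything else is rebuilt from the mirrored packets themselves.

```python
class MirrorDevice:
    """One member of an active/standby pair (simplified, hypothetical model)."""

    def __init__(self, forwarding):
        self.forwarding = forwarding  # only the forwarding device emits output
        self.conns = {}               # per-connection state built from packets
        self.wire = []                # packets this device actually sent

    def open(self, conn_id, isn):
        # The initial sequence number cannot be derived from mirrored packets.
        self.conns[conn_id] = {"next_seq": isn}

    def process(self, conn_id, payload):
        st = self.conns[conn_id]
        pkt = (st["next_seq"], payload)
        st["next_seq"] = (st["next_seq"] + len(payload)) % 2**32
        if self.forwarding:           # standby computes output but suppresses it
            self.wire.append(pkt)
        return pkt


def simulate(payloads, fail_after, active_isn, standby_isn):
    """Mirror every payload to both devices; the active fails at index fail_after."""
    active, standby = MirrorDevice(True), MirrorDevice(False)
    active.open("c1", active_isn)
    standby.open("c1", standby_isn)
    server_view = []
    for i, payload in enumerate(payloads):
        if i == fail_after:           # failover: standby becomes the forwarder
            active, standby.forwarding = None, True
        mirrored = standby.process("c1", payload)
        sent = active.process("c1", payload) if active else mirrored
        server_view.append(sent)
    return server_view, standby


def contiguous(view):
    """True if each packet starts where the previous one ended."""
    return all((s + len(p)) % 2**32 == nxt
               for (s, p), (nxt, _) in zip(view, view[1:]))


if __name__ == "__main__":
    data = [b"GET /", b" HTTP/1.1", b"\r\n\r\n"]   # constructed sample payloads
    shared, _ = simulate(data, 2, active_isn=1000, standby_isn=1000)
    unshared, _ = simulate(data, 2, active_isn=1000, standby_isn=0)
    print(contiguous(shared), contiguous(unshared))
```

With the sequence number shared, the server sees an unbroken stream across the failover; without it, the standby's first forwarded packet lands at the wrong offset and the connection breaks.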
forwarding the copy of the packet to another network device, wherein
the copy of the packet is forwarded exclusively by the standby network
device;

receiving, exclusively by the active network device, a response packet
from the other network device;

communicating a copy of the response packet to the standby network
device; and

forwarding, exclusively by the standby network device, the copy of the
response packet towards the resource.

20. The method of claim 19, further comprising:

synchronizing the standby network device with the active network device
by communicating pre-determined information about each active
connection to the standby network device on a busiest connection first
order of connections.

21. The method of claim 20, wherein the pre-determined information
includes at least one of a change in a sequence number, and a Network
Address Translation (NAT), and a port address translation.

22. A method for mirroring a connection in a network, comprising:

receiving, exclusively by a standby network device, a packet from a
resource;

forwarding a copy of the packet to an active network device;

forwarding a copy of the packet to another network device, wherein the
copy of the packet is forwarded by the active network device;

receiving, by the standby network device, a response packet from the
other network device;

forwarding a copy of the packet to the active network device; and

forwarding, exclusively by the active network device, the copy of the
response packet towards the resource.

23. The method of claim 22, wherein forwarding the copy of the packet
to the other network device further comprises transforming the copy of
the packet, and wherein forwarding the copy of the response packet
further comprises transforming the copy of the response packet.

24. The method of claim 23, wherein transforming the packet further
comprises sharing information associated with the transformation
between the active network device and the standby network device.

25. A network device, for mirroring a connection with another network
device in a network, comprising:

a transceiver arranged to receive and forward a packet;

a processor, coupled to the transceiver, that is configured to perform
actions, including:

receiving a packet from a resource, wherein the packet is sent
exclusively towards the network device by the

communicating the packet to the other network device;

if the network device is a forwarding device, exclusively forwarding
the packet towards a server;

receiving a response packet from the server;

communicating the response packet to the other network device; and

if the network device is the forwarding device, exclusively forwarding
the response packet towards the

26. The network device of claim 25, further comprising:

if the other network device is the forwarding device, enabling the
other network device to forward the packet towards the server, and to
forward the response packet towards the resource.

27. The network device of claim 25, wherein the network 
device and the other network device a 



operate as at least one of a load-balancer, a router, a firewall, 
a proxy, a bridge and a network address translation device. 

28. A standby network device, for mirroring a connection with an active
network device in a network, comprising:

a transceiver arranged to receive and forward a packet;

a processor, coupled to the transceiver, that is configured to perform
actions, including:

receiving a packet exclusively from a resource;

communicating a copy of the packet to the active network device;

receiving a response packet from another resource, wherein the response
packet is in response to the other resource receiving a copy of the
packet exclusively from the active server; and

communicating a copy of the response packet to the active network
device.

29. The standby network device of claim 28, wherein the active device
is configured to communicate an acknowledgement packet to the resource
in response to receiving the copy of the packet, and to further
communicate another acknowledgement packet to the other resource in
response to receiving the copy of the response packet.

30. A system for mirroring a connection in a network, comprising:

(a) a first network device, configured to perform actions, including:

receiving a packet from a resource, wherein the packet is sent
exclusively towards the first network device by the resource;

sending the packet to a second network device;

if the first network device is a pre-determined forwarding network
device, forwarding the packet towards another resource, wherein the
packet is sent towards the other resource exclusively by the first
network

receiving a response packet from the other resource;

if the first network device is the pre-determined forwarding network
device, forwarding the response packet towards the resource, wherein
the response packet is sent towards the resource exclusively by the
first network device; and

(b) the second network device, coupled to the first network device, and
configured to perform actions, including:

receiving the packet from the first network device; and

if the second network device is the pre-determined forwarding network
device, forwarding the packet towards the other resource, and
forwarding the response packet towards the resource, wherein the packet
is sent towards the other resource exclusively by the second network
device, and the response is sent towards the resource exclusively by
the second network

31. The system of claim 30, wherein the first network device is an
active network device, the second network device is a standby network
device, and the forwarding network device is the active network device.

32. The system of claim 30, wherein the first network device is an
active network device, the second network device is a standby network
device, and the forwarding device is the standby network device.

33. The system of claim 30, wherein the first network device is a
standby network device, the second network device is an active network
device, and the forwarding device is the active network device.



